Java Modules Supply Chain Security
The Java Platform Module System arrived in Java 9 and has aged into quiet maturity. What JPMS actually does for supply chain posture in enterprise Java.
JRuby sits at the intersection of the Ruby and Java supply chains, and the security story reflects both. A look at how JRuby's dual nature affects gem security and what defenders should know.
Proc macros are Rust code that runs at compile time with the privileges of the developer. They are one of the most underexamined pieces of the Rust supply chain.
OpenSSF Scorecard crossed 1M scanned repos in October 2024. We break down adoption, score drift, and which checks are actually predictive.
dotnet restore is supposed to be deterministic. In practice it is deterministic in ways that matter less and non-deterministic in ways that matter more.
Native C extensions are the most under-audited part of the Ruby supply chain: how they get built, what can go wrong, and how to monitor them as seriously as you monitor pure-Ruby code.
An honest look at where RubyGems.org stands with Sigstore integration, what has shipped, what is still being debated, and how maintainers can prepare for signed gems.
Typosquatting remains a steady drumbeat on PyPI. What detection actually looks like when you're trying to catch it at ecosystem scale, and where the interesting edges are.
Cargo feature flags look like a compilation convenience, but they are a load-bearing piece of your supply chain posture. Here is why.